
Nemucod meets a new buddy: PHP

We have already written about the Nemucod downloader when it was paired with 7-Zip. This time we have spotted a new variant in the wild that appears to be a further evolution of the previous versions. Before we dig into the analysis, let’s take a quick look at the most recent history of Nemucod:

Mar/2016: Nemucod adds a ransomware routine and begins to encrypt files with a simple XOR encryption, using a 255-byte hardcoded key found inside the downloaded executable. The “header” of each file (the first 2048 bytes) is encrypted;

Apr/2016: Nemucod next downloads a 7-Zip CLI version that is used to build a 7-Zip archive protected by a 36-byte password;

Apr/2016: After the 7-Zip variant, Nemucod starts to download a custom executable, again used to XOR-encrypt files. This time, though, the key (36 bytes in length) is dynamically generated by the Javascript and passed as an argument to the executable, which encrypts the first 1024 bytes of each targeted file;

May/2016: A small change is added to Nemucod: it once again encrypts 2048 bytes instead of 1024, and the key length is 255 bytes;

Today: Nemucod uses a PHP script to accomplish the encryption task.

Email

Like previous versions, Nemucod is spread through spam emails. For this variant a sample email looks like this:

Attached there is a zip containing the usual Javascript (MD5: 6597B295B59704DAB0ECB705D291DF09).

Javascript analysis

The Javascript code inside the zip archive is, as expected, obfuscated. After deobfuscation we can retrieve code that looks similar to the one analyzed in our previous analysis. The first immediate difference is the presence of the word php:

The loop downloads five files, and only the last three are responsible for the encryption process.

If we look at the end of the deobfuscated code, we can notice that the 3rd file is executed through the ws.Run() command:

ws.Run("%COMSPEC% /c " + fn + ".exe " + cq + fn + ".php" + cq, 0, 1);

which, once the variables are expanded, becomes:

ws.Run('cmd.exe /c a.exe "a.php"', 0, 1);

It’s clear at this point that the a.exe file accepts a PHP script. Analyzing a.exe we have indeed found evidence that we are dealing with a PHP interpreter.

The executable is actually the official PHP interpreter (ver. 4.4.9) (MD5: 9F13CC0B1B3B03CBEFD8141E5F50B1C1 – a copy can be found here). Looking at the dependencies of php.exe as well as those of a.exe, we find a DLL called php4ts.dll. This is in fact the 4th file downloaded.
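That launch line has a shape worth hunting for in process-creation telemetry: cmd.exe /c running some <name>.exe with "<name>.php" as its only argument, where interpreter and script share the same random stem (fn in the deobfuscated code). A legitimate php.exe invocation does not look like that. The following is an added detection sketch, not code from the post or from the malware; the event records are constructed to mimic Sysmon/EDR command lines, and the field names (pid, parent, cmdline) are assumptions.

```python
"""Detection sketch for the launch pattern seen in the deobfuscated script.
Added example, not code from the post or the malware: the telemetry records
below are constructed to mimic process-creation command lines."""
import re

# Constructed process-creation records. The first two follow the shape the
# JavaScript builds (%COMSPEC% /c <fn>.exe "<fn>.php"); the rest are benign
# look-alikes that a naive "cmd.exe runs a .php file" rule would also flag.
SAMPLE_EVENTS = [
    {"pid": 4120, "parent": "wscript.exe",
     "cmdline": 'cmd.exe /c a.exe "a.php"'},
    {"pid": 4188, "parent": "wscript.exe",
     "cmdline": r'C:\Windows\System32\cmd.exe /c C:\Users\u\AppData\Local\Temp\Xk3.exe "C:\Users\u\AppData\Local\Temp\Xk3.php"'},
    {"pid": 5002, "parent": "explorer.exe",
     "cmdline": 'cmd.exe /c php.exe "index.php"'},
    {"pid": 5100, "parent": "cmd.exe",
     "cmdline": 'cmd.exe /c notepad.exe "readme.txt"'},
]

# cmd.exe /c <something>.exe "<something>.php"; both tokens may carry a path.
RUN_PATTERN = re.compile(
    r'cmd\.exe\s+/c\s+"?(?P<exe>[^"\s]+)\.exe"?\s+"(?P<php>[^"]+)\.php"',
    re.IGNORECASE,
)


def _basename(token: str) -> str:
    """Last path component, case-folded, accepting both separator styles."""
    return token.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def match_nemucod_run(cmdline: str) -> bool:
    """True when cmd.exe launches <name>.exe with "<name>.php" as its only
    argument. The shared basename is the distinctive part: the dropper names
    the interpreter and the script after the same stem, which an ordinary
    php.exe invocation does not do."""
    m = RUN_PATTERN.search(cmdline)
    return bool(m) and _basename(m.group("exe")) == _basename(m.group("php"))


def triage(events: list[dict]) -> list[int]:
    """Return the PIDs of events whose command line matches the launch pattern,
    so an analyst can pivot to the parent (wscript.exe here) and to the dropped
    interpreter and its php4ts.dll dependency."""
    return [e["pid"] for e in events if match_nemucod_run(e["cmdline"])]


if __name__ == "__main__":
    for pid in triage(SAMPLE_EVENTS):
        print(f"suspicious PHP-interpreter launch, pid {pid}")
```

Pairing the match with the parent process (wscript.exe spawning cmd.exe) and with a freshly written php4ts.dll in the same directory cuts the false positives further than the command line alone.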

The PHP code is quite straightforward: a for loop which calls the Tree function, and, of course, the Tree function body itself.

The variable $k contains the result of base64_decode applied to a hardcoded string. After that, the function checks whether the path passed as its argument contains one of the following terms:

If a match is found, the function returns; otherwise the scan moves forward. When a suitable folder is found, it is opened together with its subfolders, and the files matching the selected extensions are encrypted. The encryption stage XORs each byte of the file’s content with a byte of the $k variable. For this sample the $k variable is 102 bytes long.
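Because the scheme is a plain XOR with a fixed key, recovery does not need the script at all once the key is known: XOR is its own inverse, and the key itself can be recovered from any file for which an unencrypted copy (a backup, an e-mail attachment) still exists, since k = c XOR p. The script below is an added recovery helper written for this post, not the malware's code or a tool from the original analysis. The base64 constant is a constructed stand-in (it decodes to 102 bytes, matching the sample's key length, but is not the real key), the victim files are constructed, and it assumes the key is reused cyclically over the file contents, since the post does not spell out the indexing of $k.

```python
"""Recovery helper for the XOR-based Nemucod PHP variant described above.
Added example, not the malware's code: the key constant, the directory
layout and the file contents below are constructed for the demonstration."""
import base64
import os
import tempfile
from itertools import cycle

# Constructed stand-in for the hardcoded base64 string that the dropped PHP
# script feeds to base64_decode(). Decodes to 102 bytes, the length the post
# reports for this sample's $k; the real value is not reproduced here.
SAMPLE_B64 = base64.b64encode(bytes((i * 37 + 11) % 256 for i in range(102))).decode()


def key_from_script_constant(b64: str) -> bytes:
    """Mirror the script's $k = base64_decode('...') step to obtain the raw key."""
    return base64.b64decode(b64)


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """XOR each byte of data with a byte of key. Assumption: the key is reused
    cyclically when the data is longer than the key; the post does not spell
    out the indexing, so adjust this if the sample's loop differs."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def derive_key(plain: bytes, encrypted: bytes, key_len: int) -> bytes:
    """Recover the key from a known-plaintext pair (an unencrypted copy and its
    .crypted counterpart). Since c = p XOR k, k = c XOR p; one full key period
    of plaintext is enough."""
    if len(plain) < key_len or len(encrypted) < key_len:
        raise ValueError("need at least key_len bytes of both plaintext and ciphertext")
    return bytes(p ^ c for p, c in zip(plain[:key_len], encrypted[:key_len]))


def looks_decrypted(sample: bytes, key: bytes, magic: bytes) -> bool:
    """Sanity check before touching a whole tree: XORing the first bytes of a
    .crypted file with the candidate key must reveal the expected signature."""
    return xor_with_key(sample[: len(magic)], key) == magic


def recover_file(path: str, key: bytes) -> str:
    """Undo the transform for one .crypted file. Applying the same key again
    restores the original bytes; the restored copy is written next to the
    input with the .crypted suffix removed, and the input is left untouched."""
    if not path.endswith(".crypted"):
        raise ValueError(f"not a .crypted file: {path}")
    with open(path, "rb") as fh:
        data = fh.read()
    out_path = path[: -len(".crypted")]
    with open(out_path, "wb") as fh:
        fh.write(xor_with_key(data, key))
    return out_path


def recover_tree(root: str, key: bytes) -> list[str]:
    """Walk a directory and restore every .crypted file found."""
    recovered = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.endswith(".crypted"):
                recovered.append(recover_file(os.path.join(dirpath, name), key))
    return recovered


def demo_roundtrip() -> bool:
    """Self-contained check: build a constructed 'victim' tree in a temp dir,
    apply the transform the way the script would, then recover it and compare."""
    key = key_from_script_constant(SAMPLE_B64)
    originals = {
        "report.pdf": b"%PDF-1.4\n" + bytes(300),
        "notes/todo.txt": b"buy milk\n" * 20,
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, content in originals.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full + ".crypted", "wb") as fh:
                fh.write(xor_with_key(content, key))
        # A known-plaintext pair (the PDF we still have) yields the key even
        # when the PHP script itself is no longer available.
        with open(os.path.join(root, "report.pdf.crypted"), "rb") as fh:
            enc = fh.read()
        if derive_key(originals["report.pdf"], enc, len(key)) != key:
            return False
        if not looks_decrypted(enc, key, b"%PDF"):
            return False
        if len(recover_tree(root, key)) != len(originals):
            return False
        for rel, content in originals.items():
            with open(os.path.join(root, rel), "rb") as fh:
                if fh.read() != content:
                    return False
    return True


if __name__ == "__main__":
    print("round trip ok" if demo_roundtrip() else "round trip FAILED")
```

In a real incident the key would come either from the dropped .php file (the base64 string is right there) or from derive_key over a backup/.crypted pair; looks_decrypted against a known file signature is the cheap guard against applying a wrong key to every file in the tree.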

In this variant the extension of each targeted file is changed to .crypted after encryption. Currently 122 extensions are targeted: